Re: ACL Question: a group of peernames ?
> > Hi everyone,
> >
> > I'm searching for a way to limit access to a list of hosts.
> >
> > Is it possible to have a group of hostnames and/or IPs in
> > the LDAP tree and limit access to hosts in that group?
> >
> > Another way would be to generate iptables rules out of
> > the LDAP directory with a little script.
> > But this is not the perfect way.
>
> That seems like a pretty good way:
>
> 1) The access control is done in the kernel, so slapd isn't
> bothered by attacks;
>
> 2) Your script can be server-independent (e.g. could work with
> some other LDAP server implementation);
>
> 3) Your script can run in the firewall, rather than on your LDAP
> server host;
>
> 4) Your access control can be more dynamic, responding to changes
> in your LDAP directory content -- AFAIK ACLs can't be
> changed at runtime.
>
> Bob G
1) Yes, it will be faster in the kernel than in slapd.
2) Right, but I have only OpenLDAP servers.
3) I don't have control over the firewall.
4) When using ipchains, a restart of the script
is needed after every change.
But I think access control in slapd will be
the better way for me because:
- I can give finer permissions.
I have 3 directories in my rootdn;
not all hosts need access to all
directories.
- Changes are replicated to the slave
and no restart of a script is needed.
--
Markus Benning
.^.
/V\ Tel. : +49 9131 7 21713
/( )\ Email: Markus.Benning@siemens.com
^^-^^ __________________________________
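The script-generated approach the reply endorses, as an added example that is not from this thread: a Python script that reads an LDIF export of ipHost entries and emits iptables rules allowing LDAP (389/tcp) only from those hosts, dropping everything else. The LDIF sample, base DN and chain name are constructed; a real run would feed it ldapsearch output and, like the ipchains case above, has to be re-run after the directory changes.

```python
import ipaddress
# Constructed sample standing in for ldapsearch -LLL output (no line folding/base64).
SAMPLE_LDIF = """\
dn: cn=ldapclient1,ou=hosts,dc=example,dc=com
objectClass: device
objectClass: ipHost
cn: ldapclient1
ipHostNumber: 192.0.2.10
ipHostNumber: 10.0.0.999

dn: cn=ldapclient2,ou=hosts,dc=example,dc=com
objectClass: device
objectClass: ipHost
cn: ldapclient2
ipHostNumber: 198.51.100.0/24
ipHostNumber: 192.0.2.11
"""
def parse_ldif(text):
    entries = []
    for block in text.strip().split("\n\n"):        # blank lines separate entries
        entry = {}                                  # lower-cased attr -> list of values
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def allowed_networks(entries):
    """IPv4 networks of entries with objectClass ipHost; bad values are skipped."""
    nets = set()
    for e in entries:
        if "iphost" in (c.lower() for c in e.get("objectclass", [])):   # only hosts
            for value in e.get("iphostnumber", []):
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue               # skip rather than emit a rule iptables rejects
                if net.version == 4:       # ip6tables would be needed for IPv6
                    nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))

def iptables_rules(entries, port=389, chain="LDAP-IN"):
    """Allow-list rules ending in DROP, so hosts outside the group are denied."""
    rules = [f"iptables -N {chain}", f"iptables -F {chain}"]
    for net in allowed_networks(entries):
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {net.with_prefixlen} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules
```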